Web is hard, reARMSEC aka ARMSec 2020
At reARMSEC, this year's seventh annual ARMSec information security conference, I gave a short presentation (Google Slides, PDF version) on why the modern web is hard, walking through HackerOne's top 10 most impactful and rewarded vulnerability types for 2020. For the real-life examples of these bugs, I gathered reports mostly from HackerOne's Hacktivity.
XSS (Cache Poisoning):
- HackerOne report #394016, XSS on Discourse by Sergey Bobrov
- HackerOne report #415168, XSS on QIWI by Sergey Bobrov
XSS (DOM):
- XSS on Google Search (closure), mXSS by Masato Kinugawa
- serialization bug in <noscript> by Michał Bentkowski
- HackerOne report #876148, DOM XSS on DuckDuckGo by Predrag Cujanović
uXSS:
- Semi Universal XSS affecting Firefox for iOS, CVE-2019-17004 by Cliqz
- uXSS in Chrome on iOS, CVE-2018-6128 by Tomasz Bojarski
Electron:
- Microsoft Teams zero-click XSS by Oskars Vegeris
- Discord RCE by Masato Kinugawa (not in slides, but definitely a must read)
AAA vulnerabilities:
- Exploiting e-mail systems by Inti De Ceukelaire
- HackerOne report #493324, privilege escalation to GitLab admin by Anton Subbotin
- Facebook Access Token Security Breach (30 million accounts) by 👻
- HackerOne report #605720, vertical privilege escalation on HackerOne by Vladimir Metnew
- HackerOne report #663431, IDOR on HackerOne by Jobert Abma
- Facebook account takeover via recovery code brute force by Anand Prakash
Information Disclosure:
- HackerOne report #396467, Snapchat's GitHub token leaked publicly by Majd
- HackerOne report #885539, Twitter private list members disclosure via GraphQL by RyotaK
- HackerOne report #489146, confidential data of users and limited metadata of programs and reports accessible via GraphQL on HackerOne by Yash Sodha (not in slides, but definitely a must read)
SSRF:
- HackerOne report #347139, LFI and SSRF via XXE on Rockstar Games by Alex Birsan
- HackerOne report #923132, redirect SSRF on Dropbox by Sayaan Alam
- HackerOne report #541169, SSRF via DNS rebinding on GitLab by Alex Chapman
- HackerOne report #530974, Server-Side Request Forgery using JavaScript on Snapchat by Ben Sadeghipour
CSRF:
SSTI:
Insecure Deserialization:
SQL injection:
- HackerOne report #137956, Error based SQL injection on Mail.ru by Vahagn Israelian
- HackerOne report #10037, Boolean based SQL injection on Mail.ru by Vahagn Vardanian
- HackerOne report #786044, Time based SQL injection on Mail.ru by Austin Augie
- HackerOne report #852306, SQLi wildcard injection on Mail.ru by Alexey (bazzy)
To learn more (I'll try to keep this list updated):
- Books - Web Application Hacker’s Handbook, Web Hacking 101, The Tangled Web, The Art of Software Security Assessment
- Writeups - HackerOne’s Hacktivity, bugcrowd’s CrowdStream, CTFtime.org writeups
- Labs - PortSwigger Web Security Academy, TryHackMe, hackxor, OverTheWire: Wargames
Follow these people/pages - https://twitter.com/davwwwx/following